Address OCSP client caching issue (#25986)

* Address OCSP client caching issue

 - The OCSP cache built into the client that is used by cert-auth
   would cache the responses but when pulling out a cached value the
   response wasn't validating properly and was then thrown away.

 - The issue was around a confusion of the client's internal status
   vs the Go SDK OCSP status integer values.

 - Add a test that validates the cache is now used

* Add cl

* Fix PKI test failing now due to the OCSP cache working

 - Remove the previous lookup before revocation: now that the OCSP
   cache works, the new revocation would otherwise not be seen because
   the cached response is actually being used
This commit is contained in:
Steven Clark
2024-03-18 15:11:14 -04:00
committed by GitHub
parent c7bdac4081
commit 94d42235cf
3 changed files with 19 additions and 4 deletions


@@ -630,9 +630,6 @@ func TestIntegrationOCSPClientWithPKI(t *testing.T) {
return testLogger
}, 10)
err = ocspClient.VerifyLeafCertificate(context.Background(), cert, issuer, conf)
require.NoError(t, err)
_, err = client.Logical().Write("pki/revoke", map[string]interface{}{
"serial_number": serialNumber,
})

3
changelog/25986.txt Normal file

@@ -0,0 +1,3 @@
```release-note:bug
auth/cert: Address an issue in which OCSP query responses were not cached
```


@@ -776,14 +776,29 @@ func (c *Client) extractOCSPCacheResponseValue(cacheValue *ocspCachedResponse, s
}, nil
}
sdkOcspStatus := internalStatusCodeToSDK(cacheValue.status)
return validateOCSP(&ocsp.Response{
ProducedAt: time.Unix(int64(cacheValue.producedAt), 0).UTC(),
ThisUpdate: time.Unix(int64(cacheValue.thisUpdate), 0).UTC(),
NextUpdate: time.Unix(int64(cacheValue.nextUpdate), 0).UTC(),
Status: int(cacheValue.status),
Status: sdkOcspStatus,
})
}
func internalStatusCodeToSDK(internalStatusCode ocspStatusCode) int {
switch internalStatusCode {
case ocspStatusGood:
return ocsp.Good
case ocspStatusRevoked:
return ocsp.Revoked
case ocspStatusUnknown:
return ocsp.Unknown
default:
return int(internalStatusCode)
}
}
/*
// writeOCSPCache writes a OCSP Response cache
func (c *Client) writeOCSPCache(ctx context.Context, storage logical.Storage) error {
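Review bot: The `default` branch of internalStatusCodeToSDK returns the raw internal code, so a cached status the switch does not recognise is handed to validateOCSP as though it were already an SDK status, which is the same int confusion this commit sets out to fix, and depending on how the internal constants are numbered such a value could collide with ocsp.Good. It is safer to refuse to treat an unrecognised cached status as anything other than unknown, `default:` followed by `return ocsp.Unknown`, or to have extractOCSPCacheResponseValue (whose start lies above the hunk) drop the cache entry and re-query the responder. The new function also lacks a doc comment; `// internalStatusCodeToSDK maps the client's cached ocspStatusCode values to the ocsp package's status constants.` would be enough. The block comment opened at the `/*` line continues past the end of the hunk as shown here.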